Paranoid Penguin - Building a Secure Squid Web Proxy, Part IV

In my previous three columns [April, May and July 2009], I described the concept, benefits and
architectural considerations of outbound Web proxies (Part I);
discussed basic Squid installation, configuration and operation (Part II); and
explained Squid Access Control Lists (ACLs), its ability to run as an
unprivileged user and provided some pointers on running Squid in a chroot jail
(Part III).

Although by no means exhaustively detailed, those articles nonetheless
cover
the bulk of Squid's built-in security functionality (ACLs, running
nonroot and possibly running chrooted). This month, I conclude
this series by covering an important Squid add-on: squidGuard.

squidGuard lets you selectively enforce “blacklists” of Internet domains
and URLs you don't want end users to be able to reach. Typically,
people use squidGuard with third-party blacklists from various free and
commercial sites, so that's the usage scenario I describe in this article.

Introduction to squidGuard

Put simply, squidGuard is a domain and URL filter. It filters domains and
URLs mostly by comparing them against lists (flat files), but also,
optionally, by comparing them against regular expressions.

squidGuard does not filter the actual contents of Web sites. That is
the domain of appliance-based commercial Web proxies such as Blue Coat, and
even products like that tend to emphasize URL/domain filtering over actual
content parsing because of the high computational (performance) cost involved.
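To make the list-versus-regex distinction concrete, here is a small Python model of squidGuard's decision logic. It is an added example written for this article, not squidGuard's own code: it mirrors the three list types a squidGuard destination category points at (a domain list, a URL list and an expression list) and the line-oriented redirector protocol by which Squid hands each request URL to a helper and reads back either a substitute URL or an empty line. The sample entries, the block page URL and the helper's exact output format are constructed assumptions; real squidGuard reads its lists from files named in squidGuard.conf and the helper protocol differs between Squid versions.

```python
"""Toy model of squidGuard's decision logic (added example, not squidGuard code)."""
import re
import sys
from urllib.parse import urlsplit

# Constructed sample "spyware" category: the same three kinds of entries a
# squidGuard dest block points at (domainlist, urllist, expressionlist).
DOMAINS = {"evil-tracker.example", "badware.example"}   # host and all subdomains
URLS = {"cdn.example/downloads/toolbar"}                # host/path prefixes, no scheme
EXPRESSIONS = [re.compile(r"\.(exe|scr)$", re.I)]       # regexes over the whole URL

# Hypothetical block page the proxy sends users to instead of the request.
BLOCK_PAGE = "http://proxy.example/blocked.html"


def domain_matches(host, domains):
    """A domain entry matches the host itself and every subdomain of it."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def url_matches(host, path, urls):
    """A url entry 'host/path' matches that path and anything beneath it."""
    target = host.lower() + path
    return any(target == u or target.startswith(u.rstrip("/") + "/") for u in urls)


def is_blocked(url):
    """Apply the three checks in the order squidGuard's lists are usually consulted."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    return (domain_matches(host, DOMAINS)
            or url_matches(host, path, URLS)
            or any(rx.search(url) for rx in EXPRESSIONS))


def redirect(request_line):
    """Handle one line of the (simplified) Squid redirector protocol.

    Squid writes 'URL client_ip/fqdn ident method' per request and expects
    back either the URL to substitute (here: the block page) or an empty
    line meaning 'pass the request through unchanged'.
    """
    url = request_line.split()[0]
    return BLOCK_PAGE if is_blocked(url) else ""


if __name__ == "__main__":
    # Same loop shape as a real redirector helper: one request per stdin line,
    # one answer per stdout line, flushed so Squid is never left waiting.
    for line in sys.stdin:
        print(redirect(line), flush=True)
```

Run with a request line on standard input, for example `echo "http://www.evil-tracker.example/ 10.0.0.5/- - GET" | python3 model.py`, to see the substitute URL; a request that matches nothing produces an empty line. The domain check is the important one in practice: a single entry covers every subdomain, which is why domain lists are far smaller than the number of hosts they block.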

You may wonder, what have URL and domain filtering got to do with security?
Isn't that actually a form of censorship and bandwidth-use policing? On the
one hand, yes, to some extent, it is.

Early in my former career as a firewall engineer and administrator, I
rankled at management's expectation that I maintain lists of the most
popular URLs and domains visited. I didn't think it was my business what
people used their computers for, but rather it should be the job of their immediate
supervisors to know what their own employees were doing.

But the fact is, organizations have the right to manage their bandwidth
and other computing resources as they see fit (provided they're honest with
their members/employees about privacy expectations), and security
professionals are frequently in the best “position” to know what's
going on. Firewalls and Web proxies typically comprise the most convenient
“choke points” for monitoring or filtering Web traffic.

Furthermore, the bigger domain/URL blacklists frequently include categories
for malware, phishing and other Web site categories that do, in fact,
have direct security ramifications. For example, the free Shalla's
Blacklists include more than 27,600 known sources of spyware!

Even if you don't care about conserving bandwidth or enforcing
acceptable-use policies, there's still value in configuring squidGuard to
block access to “known dangerous” Web sites. That's precisely what I'm going
to show you how to do.

Getting and Installing squidGuard

If you run a recent version of Fedora, SUSE, Debian or Ubuntu Linux,
squidGuard is available as a binary package from your OS's usual software
mirrors (in the case of Ubuntu, it's in the universe repositories). If you
run RHEL or CentOS, however, you need to install either Dag Wieers' RPM
of squidGuard version 1.2, Excalibur Partners' RPM
of squidGuard version 1.4, or you'll have to
compile squidGuard from the latest source code, available at the squidGuard
home page (see Resources for the appropriate links).

Speaking of squidGuard versions, the latest stable version of squidGuard at
the time
of this writing is squidGuard 1.4. But, if your Linux distribution of choice
provides only squidGuard 1.2, as is the case with Fedora 10 and Ubuntu 9.04,
or as with OpenSUSE 11.1, which has squidGuard 1.3, don't worry. Your distribution
almost certainly has back-ported any applicable squidGuard 1.4 security
patches, and from a functionality standpoint, the most compelling feature
in 1.4 absent in earlier versions is support for MySQL authentication.

As noted above, squidGuard is in the universe repository, so you'll
either need to uncomment the universe lines in /etc/apt/sources.list, or
open Ubuntu's Software Sources applet, and assuming it isn't already
checked, check the box next to Community-maintained Open Source software
(universe), which will uncomment those lines for you.

Besides using apt-get from a command prompt to install squidGuard, you
could instead use the Synaptic package manager. Either of these
approaches automatically results in your system's downloading and
installing a deb archive of squidGuard.

If you need a more-current version of squidGuard than what your
distribution provides and are willing to take it upon yourself to keep it
patched for emerging security bugs, the squidGuard home page has
complete instructions.

Squid has been working fine for several days, I have a fairly complex set of acls and http_access rules because I am trying to dole out computer time to my kids during the holidays. I am also trying to stop access to certain sites during my "peak time" allocated by my ISP. After working through the obvious errors that a relative newb introduces without meaning to, it is stable, and predictable in behaviour and performance. Suffice to say that I have stripped the squid.conf of unneccesary clutter (comments and unused settings) and have added some structure to it that makes sense to me when going in to tweak it. I do have the original file in two places for referencing when I get into trouble, so can always reinstall and add my tweaks if needed.

Next step was to add squidguard for a deeper level of filtering...

So, I have assiduously followed the instructions here even to the point of copying the errors which reveal themselves on re-reading, e.g. "bash-$ /etc/init.d/squid reload" is missing sudo at the start of the line (it is dereferenced in the preceding paragraph). After correcting the obvious errors, however, the moment I reload squid or restart squid it fails to load.

I actually rebuilt a server because this happened the first time (over a week ago now) thinking that I had damaged some system files (of course I hadn't, but it was worth the practice of installing a new version of the server anyway).

So what can I be doing wrong? The only thing that makes sense is that I am adding the squidguard lines in the wrong place, but after having reviewed the original squid.conf my original placement was correct. So, are there any hidden traps for beginners that aren't mentioned in the article?

I had used parentheses () instead of curly braces {}, which with my eyesight the way it is these days (even with my computer prescription glasses) are so similar at a glance rather than on close inspection, that it totally slipped on by.

Caught by the worst of the gotchas for newbs who aren't new to programming (hangs head in shame).

Ah, well, at least if anyone else runs across this there is a solution already (I'd gone looking for the matching braces problem and found the bigger one).
